August 17, 2001
Evaluation Report No. 01-002

Review of FDIC's Background Investigation
Process for Prospective and Current Employees

Federal Deposit Insurance Corporation
801 17th Street, N.W., Washington, D.C. 20434
Office of Inspector General

August 17, 2001

Honorable Sue W. Kelly
Chairwoman
Subcommittee on Oversight and Investigations
Committee on Financial Services
House of Representatives
Washington, D.C. 20515

Dear Madam Chairwoman:

This report responds to your request as Chairwoman of the U.S. House of Representatives
Subcommittee on Oversight and Investigations (Subcommittee) that the Office of Inspector
General (OIG) evaluate the Federal Deposit Insurance Corporation’s (FDIC) policies, procedures
and practices under which it conducts, adjudicates, and documents background investigations of
prospective and current employees. In addition, at the FDIC’s request, we assessed whether the
Corporation had effectively implemented a process to ensure proper risk designations had been
assigned to positions.

This report provides information addressing both of those areas, as well as recommendations we
made to the Corporation and its response. The FDIC tentatively agreed with the eight
recommendations in this report.
The Corporation will issue a memorandum to the OIG by
September 15, 2001, summarizing planned corrective actions for each of the recommendations in
the report, including expected completion dates and documentation that will confirm completion.
The OIG will evaluate the FDIC’s planned corrective actions and provide the results of our
analysis to the Subcommittee.

As you requested, we have also provided the Subcommittee with a copy of FDIC Circular
2120.1, Personnel Suitability Program, dated September 24, 1999, which established the
responsibilities, policy requirements, and procedures for the Corporation's position risk
designation and background investigation processes.

Should you have any questions or need additional information, please call me at 202-416-2026
or Russell A. Rau at 202-416-2543.

Sincerely,

[Electronically produced version; original signed by Patricia M. Black for Gaston L. Gianni, Jr.]
Gaston L. Gianni, Jr.
Inspector General

TABLE OF CONTENTS

INTRODUCTION

RESULTS IN BRIEF

BACKGROUND

SUITABILITY POSITION RISK DESIGNATION PROCESS

The FDIC Has Not Completed Position Designation Records for All Positions

USOPM Criteria Were Not Always Consistently Applied in Determining Position Risk
Levels

The FDIC’s Safety and Soundness and Compliance Examiner Positions Have a Lower
Risk Level Designation Than Public Trust Positions

ADP Responsibilities Were Not Always Considered in Position Risk Designations

BACKGROUND INVESTIGATION PROCESS

1. Has the Corporation issued policies for conducting, adjudicating, and documenting
background investigations of prospective and current employees?

2. Has the Corporation issued or adopted a set of procedures, known to personnel
officers and program managers, under which the policies for investigations of prospective
and current employees are to be implemented?

3. Have the procedures been recently reviewed and revised?

4. How does the FDIC monitor compliance with these procedures?

5. What evidence do you have to demonstrate that the Corporation has implemented
these procedures in a manner that minimizes the risk of improper access, use, or
manipulation of sensitive private financial data?

6. Are background investigations of prospective employees conducted prior to hiring?
Provide analysis demonstrating that Corporation managers adjudicate the results in a
timely manner, so troublesome cases are quickly resolved prior to final employment
decisions. Provide proof that the results of the investigations are documented in
personnel files.

7. Are current employees periodically re-investigated throughout their careers, and are
such re-investigations adjudicated and documented to the same extent as investigations
for prospective employees?

CONCLUSIONS AND RECOMMENDATIONS

CORPORATION COMMENTS AND OIG EVALUATION

APPENDIX I
Evaluation Methodology

APPENDIX II
Excerpts of USOPM Guidance for Position Risk Designations

APPENDIX III
Results of Background Investigation Testing

APPENDIX IV
Corporation Comments


INTRODUCTION

We conducted this review at the request of the Subcommittee on Oversight and Investigations
(Subcommittee), Committee on Financial Services, U.S. House of Representatives. In its
April 25, 2001 request letter, the Subcommittee discussed how important background
investigations are in helping to minimize the risk that sensitive and private financial data utilized
by federal financial regulatory agencies is improperly accessed, used, or manipulated.

The Subcommittee asked the OIG to conduct an evaluation of the policies, procedures, and
practices under which the FDIC conducts, adjudicates, and documents background investigations
of prospective and current employees.
In addition, the FDIC requested that we assess whether
the Corporation had effectively implemented a process to ensure that proper risk designations
had been assigned to FDIC’s positions.

Based on the Subcommittee’s and FDIC’s requests, the objectives of this review were to
(1) evaluate FDIC’s process for conducting, adjudicating, and documenting background
investigations of prospective and current employees and (2) assess whether the FDIC has
effectively implemented a process to ensure that positions have appropriate risk designations.

The scope of our review included the FDIC employees on board as of June 2, 2001, all
individuals hired by the FDIC from January 1, 2000 through June 2, 2001, and all promotions
and reassignments made at that same time. Details of our methodology are included as
Appendix I of this report.

We conducted our evaluation between May 14 and August 15, 2001, in accordance with the
President’s Council on Integrity and Efficiency’s Quality Standards for Inspections.


RESULTS IN BRIEF

The FDIC designed its Personnel Suitability Program to help ensure that the Corporation
employs and retains in employment only those individuals who meet all federal requirements for
suitability and whose employment or conduct would not jeopardize the accomplishment of
FDIC’s duties or responsibilities. The Program includes designating each FDIC position at the
high, moderate, or low risk level, based on the documented duties and responsibilities of the
positions. The designations determine the type of background investigation required and how
closely an individual is screened for a position.

Background investigations are the foundation for, but only a part of, the FDIC’s Personnel
Suitability Program to determine whether employment or continued employment would protect
the integrity and promote the efficiency of the Corporation.
Other mechanisms include ethics
and financial disclosure reporting for employees, continuing evaluations of employee
performance and workplace behavior, and employee education. Although background
investigations do not guarantee that individuals will not later engage in unsuitable activities, they
remain a critical step in identifying those who are suitable and serve as a preventive measure to
help ensure employment and retention of suitable employees.

Risk designations drive the type and timing of background investigations that employees
undergo, as well as the adjudication of investigation results. The FDIC needs to do more to
ensure that all corporate positions have risk designations and that such designations are
commensurate with assigned responsibilities and reflected accurately in corporate databases.
Most significantly, the FDIC assigned a low risk designation to nearly all of its safety and
soundness and compliance examiners. In addition, the FDIC did not always consider automated
data processing (ADP) implications for positions outside of its information resources
management division. Because of the significance of these issues, we are presenting them in the
first finding section of our report.

As for the Subcommittee’s questions regarding background investigations, FDIC policies and
procedures comply with provisions of applicable federal laws and regulations. The FDIC also
generally conducted, adjudicated, and documented the investigations for current and prospective
employees in accordance with policies and procedures.
We have organized the information
related to background investigations consistent with the questions included in your request letter
as a second finding section.


BACKGROUND

It is the FDIC’s policy that employees and applicants for employment undergo appropriate
background investigations commensurate with positions held or being advertised and in
accordance with relevant laws and federal suitability regulations. According to USOPM,
suitability refers to identifiable character traits and past conduct that are sufficient to determine
whether a given individual is likely or not likely to be able to carry out the duties of a federal job
with appropriate efficiency and effectiveness. Suitability is distinguishable from a person’s
ability to fulfill the qualification requirements of a job, as measured by experience, education,
knowledge, skills, and abilities.

FDIC Circular 2120.1, Personnel Suitability Program, dated September 24, 1999, establishes the
responsibilities, policy requirements, and procedures for the Corporation’s process for
designating the risk level of each employment position and using that designation to determine
the investigation requirements for the position. The Security Management Section (SMS),
Acquisition and Corporate Services Branch, Division of Administration (DOA) has the
responsibility to administer the Corporation's Personnel Suitability Program.

The FDIC uses draft U.S. Office of Personnel Management (USOPM) guidance for designating
position risk levels, determining the type of investigative review to be conducted, and
adjudicating suitability based on the results of the investigations. Excerpts of USOPM guidance
are included as Appendix II of this report.
The FDIC also uses the USOPM to conduct all of its
background investigations.

USOPM personnel suitability guidance provides for designating positions at the high, moderate,
or low risk level commensurate with the responsibilities and attributes of the position in relation
to the efficiency of the service being provided by the organization in which the position resides.
The three suitability position risk levels are defined as follows:

•   High Risk Positions involve duties that are especially critical to the agency or program
    mission with a broad scope of responsibility and authority, such as: policy-making,
    policy-determining, and policy-implementing; higher level management duties and assignments, or
    major program responsibility; and independent spokespersons or non-management positions
    with authority for independent action.

•   Moderate Risk Positions involve duties of considerable importance to the agency or program
    mission with significant program responsibility or delivery of service, such as: assistants to
    policy development and implementation; mid-level management duties and assignments; and
    delivery of service positions that demand public confidence or trust.

•   Low Risk Positions involve duties and responsibilities of limited relation to an agency or
    program mission, so the potential for impact on the integrity and efficiency of the service is
    limited.

Included in USOPM guidance and FDIC’s Circular 2120.1 are provisions for determining a
Computer/ADP position risk level at the high, moderate, or low risk levels defined as follows:

•   High Risk Positions have the potential for exceptionally serious impact involving duties
    especially critical to the agency mission with broad scope and authority and with major
    program responsibilities which affect a major Computer/ADP system(s).

•   Moderate Risk Positions have the potential for moderate to serious impact involving duties of
    considerable importance to the agency mission with significant program responsibilities that
    affect large portions of a Computer/ADP system(s).

•   Low Risk Positions have the potential for impact involving duties of limited relation to the
    agency mission through the use of Computer/ADP system(s).

The position risk designation system described above determines the type of investigation
needed for the position. Minimum investigative requirements for the position risk levels are:

•   High Risk – Background Investigation which consists of a Personal Subject Interview
    (PRSI); a basic National Agency Check (NAC) plus credit search; personal interviews with
    employment, residence, educational sources; and law enforcement searches going back 5
    years. The cost for a Background Investigation is $2,365, $2,570, or $2,775, depending on
    the speed of service (120 days, 75 days, and 35 days, respectively).

•   Moderate Risk – Limited Background Investigation (LBI) or Minimum Background
    Investigation (MBI) may be conducted. An LBI consists of a PRSI; NAC plus credit search;
    personal interviews with employment (3 years), residence and educational sources (3 years);
    and law enforcement searches (5 years). An MBI consists of a PRSI and NAC plus credit
    search covering a 5-year period. The cost for an LBI ranges from $1,950 to $2,260,
    depending on the speed of service. An MBI costs $395.

•   Low Risk – The NAC plus written inquiries sent to employers, educational institutions, law
    enforcement agencies, and references are required.
    The FDIC also requires that a credit
    search be conducted in conjunction with a National Agency Check and Inquiries (NACI)
    upon initial entry to duty for all appointees. The NACI costs $82.

Though not a substitute for background investigations, the FDIC does have additional means for
collecting data to determine employees' suitability and potential conflicts of interest. The FDIC
administers the filing of public and confidential financial disclosure reports required by law for
federal employees. For example, all employees, once employed by the FDIC, must file the
Confidential Report of Interest in FDIC-Insured Depository Institutions Securities (FDIC Form
2410/07) and Employee Certification and Acknowledgment of Standards of Conduct Regulation
(FDIC Form 2410/09). In addition, certain employees, including safety and soundness
examiners and compliance examiners, are required to file Confidential Report of Indebtedness
(FDIC Form 2410/06), Confidential Statement of Credit Card Obligation in Insured State
Nonmember Bank and Acknowledgment of Conditions for Retention – Notice of
Disqualification (FDIC Form 2410/10), and Confidential Financial Disclosure Report (FDIC
Form 2410/05) (for examiners graded CG-12 and above), each on an annual basis.


SUITABILITY POSITION RISK DESIGNATION PROCESS

The FDIC has adopted the Risk Designation System established by USOPM to provide corporate
officials a systematic, consistent, and uniform way of determining risk levels of positions. The
Risk Designation System requires FDIC officials to designate risk levels for every position in
FDIC. Circular 2120.1 directs each FDIC Division or Office Director, or designee, to determine
the sensitivity level of the positions in the respective organizations. SMS is responsible for
administering the designation process and making adjustments in the designations as deemed
necessary.
SMS is also responsible for maintaining the Position Designation Records (PDR)
prepared by officials in the FDIC’s divisions and offices as documentation for the designations.
A copy of the PDR form can be found in Appendix II.

The Risk Designation System consists of three parts:

•   Program Placement. The agency (FDIC) identifies both the impact and scope of an agency
    program as related to the integrity and efficiency of the service. Program placement
    categories are major, substantial, moderate, or limited. SMS is responsible for ensuring that
    each corporate program is properly designated.

•   Position Risk Points. The agency determines the degree of risk that a position poses to the
    agency or an agency program as related to the efficiency of the service. Each of five risk
    factors – degree of public trust, fiduciary responsibilities, importance to program, program
    authority level, and supervision received – is ranked using point values of “1” to “7” with
    the higher point value being applied to the higher degree of risk. The point values are totaled
    to provide the total “position risk points” for a position.

•   Position Placement. The Program Placement and Position Risk Points are applied to
    determine the risk level “position placement.” At this point, any pertinent adjustments can be
    made, including unique factors specific to positions as well as organizational factors, to
    provide uniformity of operations.

Upon completion of the three parts of the Risk Designation System, an agency decides the final
placement of the position and the type of investigation to conduct.
Final placement of a position
falls into high risk, moderate risk, or low risk.

The USOPM Risk Designation System also includes criteria for designating Computer/ADP
position risk levels. Determining a Computer/ADP position risk level is an adjustment factor on
the PDR for both uniqueness and uniformity and tends to raise the risk level designation.
USOPM guidance states that its Computer/ADP risk level definitions for high, moderate, and
low risk positions should be applied in determining placement for any position with
Computer/ADP duties. Because positions can involve determinations of risk level for both
employment suitability and Computer/ADP, the higher of the two risk levels is used for final
position placement. The Computer/ADP definitions are identified in the Background section of
this report and can also be found in Appendix II.

The FDIC Has Not Completed Position Designation Records for All Positions

Circular 2120.1 includes a requirement that corporate officials designate risk levels for every
(emphasis added) position in the Corporation. Such designations must be commensurate with
the responsibilities and attributes of the positions as they relate to the efficiency of the
Corporation’s operations. The Position Description (PD) – the official record of management’s
assignment of duties, knowledge, skills, required abilities, and supervisory relationships of the
position – serves as the basis for designating suitability risk levels. The divisions and offices
document the designations for each PD in the PDR. SMS is responsible for maintaining the
PDRs for the Corporation's positions.

The FDIC has had a long-standing initiative starting in 1994 to complete risk level designation
records on all PDs in the Corporation.
The completion of this initiative has been interrupted by
conflicting demands on SMS resulting from major events such as: the FDIC/RTC merger; PD
rewrites; National Treasury Employees Union (NTEU) objections to the Position Risk
Designation Project; long-term arbitration activities to resolve NTEU concerns; corporate
reorganizations; a complete revamping of the Personnel Suitability Program; and an emphasis on
initiating background investigations on high risk positions. Some FDIC divisions and offices
completed PDRs in 1997, 1998, and 1999 while SMS continued to identify individuals without
background investigations on file. SMS officials could not be certain that all PDs in the
Corporation have been properly designated. However, they were certain that all employees in
high risk positions and most of the moderate and low risk employees have the proper background
investigations in process or completed.

We cannot say with certainty that the FDIC has completed PDRs for every PD in the Corporation
for the following reasons:

•   The FDIC has not filed all of its PDRs into its Security database, the Employee Background
    Investigations Tracking System (EBITS).

•   We found numerous instances where the Corporation’s Personnel database contained
    inaccurate designations. For example, the Personnel database reflects low-risk,
    moderate-risk, and high-risk designations for OIG employees, but all OIG positions have been
    designated as high risk or critical sensitive for National Security purposes. We attempted to
    reconcile the discrepancies we found in the Personnel database and provided SMS our
    information for final resolution.
    The SMS agreed to coordinate its efforts with DOA's
    Personnel Services Branch (PSB).

•   Some divisions and offices were completing their PDRs during the course of our review.
    Only a small percentage of these designations applied to new PDs.

•   The PD Library on the FDIC internal Web site does not include all PDs. The PSB is in the
    process of revamping the FDIC’s PD files and anticipates having an accurate count of the
    FDIC’s PDs upon completion of the revamping project.

USOPM Criteria Were Not Always Consistently Applied in Determining Position Risk
Levels

Most division and office officials told us they used the USOPM criteria in designating risk
levels for positions in their respective organizations. We reviewed approximately 1,650 PDRs
and found inconsistencies in the way some divisions and offices applied USOPM criteria to their
positions. Some divisions and offices did not use the program placement level assigned by SMS
in factoring the risk levels, resulting in some positions being either under-designated or
over-designated. For example, one office under-designated 32 positions by determining a “limited”
program placement rather than the “substantial” program placement the SMS designated for this
office’s program. Using USOPM criteria and SMS’s “substantial” program placement, we
determined that 10 of the 32 positions should be designated as high-risk, 13 positions should be
designated moderate-risk with a LBI, and 9 positions should be designated moderate-risk with a
MBI.

We also found that some divisions and offices designated their Administrative Officer positions
as moderate risk while the same positions were designated as low-risk in other divisions and
offices.
Some divisions and offices designated their Secretary to the Director positions as
moderate-risk, but other organizations designated this position as low risk. FDIC
administratively decided that all executive positions in the Corporation are high-risk positions.

Some divisions and offices did not always appropriately consider the supervisory factor for
some positions. For example, one office assigned a 3-point score to the degree of supervision
received to each non-executive position in the organization, despite the fact that the grade levels
of these positions ranged from grade 6 to grade 15. This office did not complete the position
risk points for its executive position, given the global high-risk designation for all executive
positions.

In addition, we will be providing our analyses in this area to SMS for further review and
consideration.

The FDIC’s Safety and Soundness and Compliance Examiner Positions Have a Lower Risk
Level Designation Than Public Trust Positions

We determined that the FDIC assigned a low-risk designation to nearly all of its safety and
soundness examiner positions and its compliance examiner positions. In making its
determinations, the FDIC assigned 2 points to each of the five risk factors – degree of public
trust, fiduciary responsibilities, importance to program, program authority level, and supervision
received – resulting in a total 10 points to numerically reflect the degree of risk in the safety and
soundness examiner position. The 10-point score was assigned to all but one safety and
soundness examiner position ranging from grades CG-11 to CG-15. The FDIC identified the
program placement for the division in which safety and soundness examiners are employed as
substantial. The FDIC did not use the “adjustments” feature of the Risk Designation System in
determining the designations for the examiner positions.
FDIC’s point-assignment for its
compliance examiner positions ranged from a 7-point score for examiner positions CG-5 through
CG-9 to a 17-point score for examiner positions at the CG-14 grade level.

Because of the low-risk designation, safety and soundness examiners and compliance examiners
were only required to undergo a basic NACI, the least comprehensive investigation required, for
basic employment suitability determination. According to USOPM guidelines, positions at the
high or moderate risk levels are referred to as “Public Trust” positions. Based on this USOPM
statement, it appears that FDIC’s safety and soundness examiners and compliance examiners do
not hold “Public Trust” positions. However, the duties identified for a safety and soundness
examiner position recently advertised by FDIC imply that an examiner position is one that
demands public confidence or trust. Specifically, on July 11, 2001, the FDIC announced an
opening for a CG-13 examiner position identified as a low-risk position, involving the following
duties:

       “The incumbent will primarily examine insured depository institutions. The
       individual serves as Examiner-in-Charge of FDIC examinations, with primary
       responsibility for the preparation of the related report of examination. The
       incumbent evaluates and prepares written reports on institutions’ trust
       departments and information systems (IS) departments. The incumbent identifies
       factors and causes, unsafe and unsound practices, and violations of laws and
       regulations that have affected, or may affect, the financial condition and
       soundness of financial institutions.
       This position involves analyzing and
       classifying assets; analyzing liabilities and capital; reviewing dividend and
       charge-off policies; analyzing earnings trends and future prospects; evaluating
       management and soundness of policies, procedures, and practices; analyzing
       liquidity and sensitivity to market risks; reviewing trust department and IS
       department operations and policies; and determining compliance with laws and
       regulations. The incumbent will meet with insured depository institution officials
       and/or boards of directors to discuss the findings of an examination, corrective
       programs, and commitments for correction of deficiencies; develop
       recommendations for correcting weaknesses or deficiencies; write comments and
       analyses for inclusion in reports of examination; investigate financial institutions
       applying for deposit insurance; and participate in examinations with other federal
       and state examiners.”

The duties stipulated for this examiner position exceed the representative duties and
responsibilities identified in USOPM guidance for a low-risk designation, namely duties and
responsibilities of limited relation to an agency or program mission, so the potential for impact
on the integrity and efficiency of the service is limited. The duties for the examiner position also
exceed the FDIC’s definition of a low-risk position that states: “Low Risk (LR) positions involve
duties with limited relations to the Corporation’s mission which have little effect on the
efficiency of the Corporation’s operations or programs.”

Other financial regulatory agencies have designated their examiner positions – safety and
soundness examiners and compliance examiners – at a higher than a low-risk level.
The Office
of the Comptroller of the Currency (OCC) designated its associate and assistant examiner
positions as moderate risk with a MBI. The OCC’s examiner positions at higher grades have
been designated as moderate risk requiring a more extensive LBI. The OCC’s examiner
positions in its International Banking Finance group have been designated at the high-risk level
and have National Security Clearances. The Office of Thrift Supervision (OTS) designated its
examiner positions – safety and soundness examiners and compliance examiners – as
moderate-risk positions requiring an MBI. Given the FDIC’s backup authority to participate in safety and
soundness examinations of insured institutions for which the Corporation is not the primary
federal regulator, it would seem appropriate that position risk designations for FDIC’s examiner
positions would be at least comparable to examiner positions at other regulatory agencies such as
the OCC and OTS.

ADP Responsibilities Were Not Always Considered in Position Risk Designations

Circular 2120.1 includes the following explanation for Computer/ADP position risk levels: “In
accordance with Office of Management and Budget (OMB) Circular A-130, Security of Federal
Automated Information Resources, Division of Information Resources Management (DIRM) has
established personnel security policies and procedures to assure an adequate level of security for
the Corporation’s automated information services.
These policies include requirements for
screening all individuals having access to sensitive data.” For computer/ADP positions, the level
of background checks or investigations ranges from a minimal check to a full background
investigation, depending upon the sensitivity of the information to be handled and the risk and
magnitude of loss or harm that could be caused by the individual.

The FDIC appropriately used USOPM criteria for computer/ADP positions in determining
position risk designations for the positions within DIRM and one other division. However, the
other divisions and offices did not always consider the computer/ADP criteria for positions with
ADP responsibilities, as implied in the title of the position. Such considerations would have
been reflected in the adjustments section of the PDR, and in our review of approximately 1,650
records, we found few examples, other than for DIRM and another division, of adjustments
being made due to consideration of the computer/ADP criteria. For example, positions such as
Chief, Information Management Section; Examiner (Information Systems); Supervisory
Instructional Systems Design Specialist; Personnel Systems Specialist; Senior Information
Management Analyst; Financial Systems Specialist; and Payroll/Personnel Systems Specialist
were assigned low-risk designations, and the PDRs reflected no adjustments to the designation
based on Computer/ADP considerations.

FDIC divisions and offices have Information Security Officers (ISO) with assigned security
responsibilities for the systems within their respective organizations. In many cases, the ISO’s
security responsibilities are considered collateral duties.
We identified 162 ISOs from the FDIC
Web site and used the Personnel database listing of FDIC employees on board as of
June 2, 2001, to determine the position risk designations for the positions held by the ISOs. We
found that 61 percent of the ISOs work in positions that have been designated as low risk
positions by their respective divisions and offices.

GAO recommended in its June 26, 2001 management letter, Financial Audit: Continuing
Weaknesses in FDIC’s Information System General Controls, that the FDIC study and analyze
the ISO role and responsibilities and develop a process to ensure that security responsibilities are
consistently applied across the FDIC. In its July 26, 2001 response to GAO, the FDIC said its
Chief Information Officer initiated a project to evaluate the ISO program and to ultimately
develop a “Model ISO” organization. A major aspect of the program includes establishing in all
divisions full-time Information Security Manager positions, and it is expected to be implemented
by December 31, 2001. DOA will have to coordinate with the Chief Information Officer to
ensure that the new positions are properly designated and appropriate background checks
conducted.

The area of personnel security was included in the weaknesses identified for the FDIC’s
information system general controls by the U.S. General Accounting Office (GAO) in its 1998,
1999, and 2000 audits of the FDIC’s financial statements. GAO recognized the establishment of
FDIC’s Personnel Suitability Program in its June 26, 2001 management letter. In its letter, GAO
reaffirmed its recommendations including one related to personnel security.
Specifically, GAO
recommended that as the FDIC identifies sensitive positions through risk assessments and
security reviews of general control systems and major applications, the FDIC should ensure that
users in these positions undergo the appropriate background checks. In its July 26, 2001
response to GAO, the FDIC agreed that sensitive positions should be properly identified so that
the appropriate level of background check can be performed. The FDIC referenced this OIG
evaluation of the FDIC’s background investigations process and added that DOA planned to
evaluate the results of the OIG review and make appropriate changes to the personnel suitability
program as deemed necessary.

With regard to GAO’s finding that risk assessments and security reviews had not been
completed, the FDIC indicated in its July 26, 2001, response to GAO that Independent Security
Reviews (ISR) will be completed on 28 of 29 major applications and general support systems by
December 31, 2001. As these reviews are completed, DOA will have to be informed of all
employees identified as systems users with access to sensitive data for the respective applications
and general support systems reviewed so that DOA can revisit the risk designations of those
employees.
To illustrate, the FDIC issued a report, Independent Security Review of the FDIC
Mainframe, on December 29, 2000, which included a recommended action that the FDIC ensure
procedures are in place to alert DOA of all new personnel assignments into sensitive positions to
prevent any disconnect between the procedures for granting system access to users with a
“sensitive” designation and DOA procedures for initiating and conducting the appropriate
background checks.


BACKGROUND INVESTIGATION PROCESS

The Subcommittee requested that our review consider a series of questions related to policies and
procedures of the FDIC in conducting, adjudicating, and documenting background investigations
of prospective and current employees. The following sections contain responses to those
questions.

1. Has the Corporation issued policies for conducting, adjudicating, and documenting
background investigations of prospective and current employees?

The FDIC issued its policies and procedures for conducting, adjudicating, and documenting
investigations of prospective and current employees in Circular 2120.1. We reviewed Circular
2120.1 and determined that the Circular complied with major provisions of applicable federal
laws and regulations related to personnel suitability.

The directive states that it is the FDIC’s policy that employees and applicants for employment
undergo a NACI with Credit, or other appropriate background investigation according to the
positions held, in order to comply with the Resolution Trust Corporation Completion Act
(RTCCA) and relevant federal suitability regulations.
The FDIC’s policy is to employ and retain
in employment only those persons who meet all federal requirements for suitability – character,
reputation, honesty, integrity, trustworthiness – and whose employment or conduct would not
jeopardize the accomplishment of the Corporation’s duties or responsibilities.

Circular 2120.1 states that applicants, appointees, and employees will be subject to mandatory
bars outlined in 12 CFR Part 336, Minimum Standards of Fitness for Employment with the
Federal Deposit Insurance Corporation, which prohibit any person from becoming employed
by, or providing service to, the FDIC. The mandatory bars are: felony convictions, removal from
or prohibition from participating in the affairs of an insured institution, defalcation in obligations
to insured institutions, and causing substantial loss to deposit insurance funds. These mandatory
bars are also included in the RTCCA. The FDIC requires a credit search with its background
checks to comply with the RTCCA.

2. Has the Corporation issued or adopted a set of procedures, known to personnel officers
and program managers, under which the policies for investigations of prospective and
current employees are to be implemented?

Circular 2120.1 establishes the responsibilities, policy requirements, and procedures for the
FDIC’s Personnel Suitability Program. The Circular describes general provisions of the FDIC’s
Personnel Suitability Program, discusses the suitability position risk designation system, and
provides information on investigative requirements, suitability adjudication, record keeping, and
program administration matters. The Circular was issued to all employees on
September 24, 1999.
The provisions of Circular 2120.1 apply to all applicants, appointees, and
employees of the Corporation.

Although FDIC employees have access to Circular 2120.1 through the FDIC internal Web site,
the directive is not accessible to applicants for corporate positions on the FDIC’s external Web
site. We reviewed recent FDIC vacancy announcements and found the announcements included
a statement on the position sensitivity and type of background investigation required for the
advertised position. For instance, a recent announcement for an examiner-in-charge position
included the following:

       "Position Sensitivity: Low Risk--National Agency Check Investigation
        Required: see Circular 2120.1, dated 9/24/1999."

However, the Circular is not accessible to an applicant without contacting the FDIC to obtain a
copy. DOA should consider establishing a link to Circular 2120.1 on the vacancy announcement
to give external applicants easy access to the Circular and an explanation of the
background investigation required for the advertised position.

3. Have the procedures been recently reviewed and revised?

The FDIC’s current Circular 2120.1, issued on September 24, 1999, is a revision of Circular
2120.1, Personnel Security Program, dated July 3, 1978. When the FDIC created SMS in late
1995, the Corporation recognized that the personnel security directive was out of date and
required significant revisions. SMS drafted a revision to the directive. However, a number of
objections were raised by NTEU, and the directive could not be finalized until NTEU’s concerns
were resolved.
Ultimately, SMS met with the NTEU and a federal mediator to resolve the
concerns, and a Memorandum of Understanding (MOU) was signed by NTEU and the
Corporation representing the agreements reached concerning the implementation of the FDIC’s
security and suitability program insofar as it affects bargaining unit employees.

The MOU, signed in September 1999, includes the following provisions:

•   That NTEU be consulted about high risk designations before notifying the employees.
•   That a notification to the employee must include an explanation of the reasons why the
    position has been designated as high risk.
•   That all job announcements or other solicitations of interest for positions should identify the
    position risk designation and the nature of the investigation required.
•   That only those employees in positions designated as “High Risk” will be subject to periodic
    reinvestigations, which shall occur not more than once in every five years.

4. How does the FDIC monitor compliance with these procedures?

SMS is responsible for implementing the FDIC's suitability program. Since its creation in late
1995, SMS has been involved in various initiatives to monitor and improve the personnel
suitability program. Recent efforts include the following:

•     In 1999, SMS reviewed security and personnel records in Headquarters and regional offices
      for employees identified as not having suitability investigations. SMS focused its efforts on
      high risk employees followed by moderate and low risk employees. The Assistant Director,
      SMS, was very confident that background investigations for all employees designated high
      risk were either in process or completed.
      SMS requested that USOPM complete 782
      investigations during the period from October 1, 2000 to June 15, 2001.

•     SMS has a database, EBITS, to track information related to the personnel suitability program.
      SMS said that EBITS had not been populated with background investigation information on
      all employees. FDIC's DIRM recently made SMS-requested modifications to EBITS, but
      those fields have not been populated with data. SMS does not rely on EBITS, but instead
      uses Excel spreadsheets, tickler files and manual reports to track background investigations.

•     The Assistant Director, SMS, is a member of a multi-agency task force, Security Clearance
      Automation Laboratory, Phase II (SECLEAR II), whose goal is to identify best practices of
      security management tracking systems. SECLEAR II membership includes representatives
      from the Departments of Justice, Commerce, and Energy, as well as the FDIC and the
      USOPM. According to its charter, the mission of SECLEAR II is “..to create a process to
      achieve efficient and timely staffing of critical positions by integrating automated security
      forms and processing capabilities.” The Assistant Director, SMS, told us that one of the
      advantages of his participation in SECLEAR II is to learn about best practices that could be
      applied to EBITS to meet reporting requirements and better integrate EBITS with other
      personnel systems.

•     SMS provides DOA senior management and the FDIC’s Office of Internal Control
      Management a biweekly report on the status of background investigations. As mentioned
      earlier, SMS uses Excel spreadsheets, tickler files, and manual reports to track the status of
      background investigations.
      The latest report, dated August 1, 2001, contained the following:

Table 1: DOA Status Report 08/01/2001

                                                                          Forms pending   Forms pending
                          Total      Completed       Pending  In process  completion by  completion for
Category                 Number  Investigation  Adjudication    at USOPM       employee         interns
High Risk                   605            549             4          36             16             n/a
Low and Moderate Risk     5,951          5,684            45         201             17               4
Total                     6,556          6,233            49         237             33               4
Source: DOA Background Investigation Status Report 08/01/2001

•     The DOA Management Review Group (MRG) completes Administrative Compliance
      Reviews (ACR) for DOA's Washington and regional offices. For example, an ACR of the
      Washington office, dated March 28, 2000, reported that background investigations were
      completed on all employees hired between January 1999 and June 1999.

•     The Personnel Suitability Program was reviewed as a part of GAO's audit of FDIC's financial
      statements.

•     SMS is currently completing a self-assessment at the request of and under the supervision of
      the USOPM.

5. What evidence do you have to demonstrate that the Corporation has implemented these
procedures in a manner that minimizes the risk of improper access, use, or manipulation of
sensitive private financial data?

The Subcommittee’s request letter emphasizes the importance of background investigations in
helping to minimize the risk that sensitive and private financial data utilized by federal financial
regulatory agencies is improperly accessed, used, or manipulated. The letter states:

       "That risk could arise not only from contractors whose backgrounds have not
       been sufficiently investigated, but also from the Corporation's own employees,
       prospective and current. It is critical to the safety and security of the financial
       services industry, and to consumers' confidence in the industry's ability to protect
       personal financial data, that federal employees with actual or potential access to
       such data meet stringent security conditions and are subject to periodic
       investigations throughout their career. Recent disclosures in the intelligence
       community are an embarrassing reminder that we cannot assume that veteran
       employees need not be periodically re-investigated."

The FDIC’s personnel suitability program was designed to help ensure that the Corporation
employs and retains in employment only those individuals who meet all federal requirements for
suitability and whose employment or conduct would not jeopardize the accomplishment of the
FDIC’s duties or responsibilities. Our review showed that the FDIC generally conducted,
adjudicated, and documented background investigations for current and prospective employees
in accordance with corporate personnel suitability requirements.
However, we cannot
demonstrate that the FDIC’s implementation of its personnel suitability program completely
minimizes the risk of improper access, use, or manipulation of sensitive private financial data
due to the issues discussed earlier in this report regarding the FDIC's position risk designation
process.

We reviewed security folders or Official Personnel Folders for 236 of the 240 employees in our
sample to determine if background investigations were performed and adjudicated. No folders
were available for 4 of the 240 employees because they were no longer employed by the FDIC.

In our review of the 236 folders, we found that the FDIC generally conducted, adjudicated, and
documented background investigations according to FDIC policies and procedures except for the
following:

•   Background investigations were not completed for two newly hired employees who worked
    in positions designated as low risk.
•   Folders for nine employees did not contain background investigations.
•   Folders for eight employees, who work in positions designated as moderate risk, contained
    evidence of a NACI, a less extensive investigation than the required LBI or MBI for a
    moderate risk position.

In regard to the nine employees whose folders contained no evidence of background
investigations, SMS officials told us that other sources, such as USOPM, could be used to
determine if background investigations had been completed for the nine employees. However,
we did not complete that alternative testing because we chose to review documentation
maintained by the FDIC.

Appendix III summarizes the results of our testing.
In addition, we will be providing our
detailed analysis in this area to SMS for further review and resolution.

We reviewed the timeliness of the adjudication process for background investigations after the
FDIC hires an applicant. The FDIC contracts with USOPM to complete background
investigations. After the investigation is completed, USOPM forwards the investigation and a
preliminary adjudicating suitability assessment. USOPM may identify issues and grade them on
a scale of A-D, of which D is the most serious. SMS officials could not recall any FDIC cases
that were graded D. Furthermore, SMS officials stated that most issues identified by USOPM
are related to overseas travel and small credit issues.

SMS reviews the background investigation and if necessary completes additional research. In
some cases, SMS contacts the employee orally or in writing to get more information. If an issue
may have a potential effect on a person's employment with the FDIC, SMS contacts the Labor
and Employee Relations Section of the PSB.

SMS uses USOPM guidance to make an adjudication decision. In addition to adjudicating the
case based on USOPM standards, SMS reviews each case file to make sure that there are no
violations of the RTCCA.

We obtained information from security folders on investigations requested and adjudicated by
SMS. We did not include employees whose background investigations were completed by
another agency.
There were 98 cases within our sample of 240 employees that included
sufficient information to determine the timeliness of the adjudication process.

As shown in Table 2, the average time from completed investigation to FDIC adjudication for 98
cases was 19 days.

Table 2: Average Days from Completed Investigation to Adjudication

                               Number of cases with information on     Average Days from Completed
Category                       FDIC investigation and adjudication   Investigation to Adjudication
High Risk                                                       54                              22
Moderate Risk                                                   11                              20
Low Risk                                                         7                              10
Promotions and Reassignments                                    10                              16
New Hires                                                       16                              17
Total                                                           98                              19
Source: OIG analysis of selected security folders


6. Are background investigations of prospective employees conducted prior to hiring?
Provide analysis demonstrating that Corporation managers adjudicate the results in a
timely manner, so troublesome cases are quickly resolved prior to final employment
decisions. Provide proof that the results of the investigations are documented in personnel
files.

The FDIC performs pre-employment checks on prospective employees before they are hired.
Once an applicant is selected for a vacancy, the hiring office sends the applicant’s OF-306
(Declaration for Federal Employment) or resume to SMS.
SMS, based on information in the
OF-306 or resume, does the following:

     •    Completes a background check,
     •    Contacts USOPM to see if they have any record of investigation on the applicant, and
     •    Contacts any federal agencies where the applicant has been employed.

If there are no issues, SMS notifies the hiring office by electronic mail that the applicant can be
hired by the FDIC. If issues arise during the pre-employment checks that may preclude
employment, SMS discusses the issues with the hiring office and PSB. PSB may request
additional information or explanation from the applicant. SMS officials said they could not
remember a recent case of a prospective employee being denied employment at the FDIC.

We selected a sample of 30 employees hired by the FDIC during the period January 1, 2000
through June 2, 2001. We found that pre-employment checks were conducted for 24 of the 30
employees prior to hiring. Those pre-employment checks were completed an average of 29 days
prior to hiring. The following information is related to the remaining six cases:

•    Pre-employment checks were not completed for two employees until after they were hired.
     The pre-employment check was completed an average of 10 days after hiring. However,
     appropriate background investigations were adjudicated favorably for the two employees.

•    There was no information in one employee's security folder. The employee was a secretary
     who is now on leave without pay.

•    There were no security folders for three employees because they were no longer employed by
     FDIC.

7. Are current employees periodically re-investigated throughout their careers, and are
such re-investigations adjudicated and documented to the same extent as investigations for
prospective employees?

FDIC Circular 2120.1 states: "The incumbents of Public Trust Positions designated High Risk
are subject to periodic reinvestigation at least once every 5 years after placement."

Our sample of 240 employees included 26 employees whose periodic reinvestigations were in
process (5 cases) or completed (21 cases). Based on our review, we found that:

•   The FDIC sent 18 cases to USOPM for investigation an average of 1,810 days after the
    previous background investigation. The Circular requires a reinvestigation every 5 years
    (1,825 days).
•   The FDIC did not send eight cases to USOPM within 5 years. Those cases were sent to
    USOPM for investigation an average of 1,982 days after the previous background
    investigation. The median for the eight cases was 1,907 days.

We found that the 26 periodic reinvestigations in our sample were documented to the same
extent as the previous background investigations.


CONCLUSIONS AND RECOMMENDATIONS

We determined that the FDIC has implemented a process for determining suitability risk levels
for its positions. However, the FDIC needs to do more to ensure that all corporate positions have
risk designations, that the designations are commensurate with assigned responsibilities, and that
they are reflected accurately in corporate databases. We also determined that the FDIC generally conducted,
adjudicated, and documented background investigations for current and prospective employees
in accordance with the Corporation’s policies and procedures.

While the FDIC has undertaken a series of initiatives designed to improve the personnel
suitability program, further actions are needed. We recommend that the FDIC:

1. Involve SMS in the Position Description revamping project.

2. Assess the need to complete new Position Designation Records for position risk designations
   where FDIC divisions and offices inconsistently applied USOPM criteria in making the
   designations.

3. Consult with the Division of Supervision and Division of Compliance and Consumer Affairs
   to re-designate position sensitivity levels for their examiner positions to reflect their public
   trust responsibilities.

4. Ensure that divisions and offices alert SMS of all personnel assignments to positions where
   users have access to sensitive computer systems or data.

5. Ensure that SMS coordinates with the Chief Information Officer to ensure that new
   Information Security Manager positions are properly designated and appropriate background
   checks are performed.

6. Ensure that all position risk designations are completed and accurately reflected in the
   Corporation's databases.

7. Establish a specific schedule to update the Corporation’s employee security database, EBITS.

8. Consider establishing a link to Circular 2120.1, Personnel Suitability Program, in position
   vacancy announcements.


CORPORATION COMMENTS AND OIG EVALUATION

On August 15, 2001, the Director, DOA, provided a written response to the draft report. The
Director, DOA, tentatively agreed with the eight recommendations. The response is presented in
Appendix IV of this report.

The Director, DOA, stated that since the recommendations involve a number of FDIC divisions
and offices, the DOA Security Management Section will assess each recommendation and will
work with the other affected divisions and offices to develop specific action plans. The Director,
DOA, will issue a separate memorandum to the OIG by September 15, 2001, summarizing the
planned corrective actions and providing expected completion dates along with the
documentation that will confirm completion.
The OIG will evaluate the FDIC’s planned
corrective actions and provide the results of our analysis to the Subcommittee.


APPENDIX I

Evaluation Methodology

To address the first objective of evaluating FDIC’s process for conducting, adjudicating, and
documenting background investigations of prospective and current employees, our methodology
included:

•   Identifying employees on board as of June 2, 2001 and selecting a statistical sample of 240
    employees to include 30 employees in each of the following categories:

       1.   High Risk Positions located in Headquarters.
       2.   High Risk Positions located in the eight Regional Offices.
       3.   Moderate Risk Positions located in Headquarters.
       4.   Moderate Risk Positions located in the eight Regional Offices.
       5.   Low Risk Positions located in Headquarters.
       6.   Low Risk Positions located in the eight Regional Offices.
       7.   Employees hired by the FDIC from January 1, 2000 through June 2, 2001.
       8.   Promotions from January 1, 2000 through June 2, 2001.

•   Selecting security folders and Official Personnel Folders for the 240 employees to review for
    evidence of background investigations and adjudicative activities.
•   Comparing information in the FDIC’s Personnel database to the FDIC’s Employee Security
    database.
•   Reviewing applicable laws, regulations, USOPM guidance, and FDIC procedures on the
    requirements for background investigations.
•   Interviewing key officials in SMS, divisions, and offices.
•   Reviewing management reports, prior audit reports, and Administrative Compliance Review
    reports.

To address the objective of assessing whether the FDIC has effectively implemented a process to
ensure that positions have appropriate risk designations, our methodology included:

•   Reviewing applicable laws, regulations, USOPM guidance related to its Risk Designation
    System, and FDIC procedures on the requirements for position risk designations.
•   Interviewing SMS officials and officials in 16 FDIC divisions and offices to obtain an
    understanding of the FDIC’s position risk designation process.
•   Reviewing approximately 1,650 Position Designation Records completed by 16 divisions and
    offices.
•   Interviewing officials in the Office of the Comptroller of the Currency and Office of Thrift
    Supervision regarding position risk designations for examiner positions.
•   Reviewing U.S. General Accounting Office audit reports, independent security review report,
    and FDIC vacancy announcements.


APPENDIX II

Excerpts of USOPM Guidance for Position Risk Designations

        APPENDIX II\n\nExcerpts of USOPM Guidance for Position Risk Designations\n\n\n\n\n                           32\n\x0c                                                                                                                                              APPENDIX III\n\n                                                           Results of Background Investigation Testing\n\n  The following table is a summary of the testing for each sample subset:\n\n                                                                 # of                          # of             Total                          Number of Cases\n                                                             Background       Official     Background        Background        Evidence of     Without\n                                             Security       Investigations   Personnel    Investigations    Investigations         No          Background\n                                 Sample       Folders       Completed or      Folders     Completed or     Completed and In   Background       Investigation\n   Category       Universe        Size       Reviewed         In Process     Reviewed       In Process         Process        Investigation    Information\nHigh Risk -         347            30           29                29             1               0                29                0                    1\nDC\nHigh Risk -          103            30           29                29            1              1                 30                0                   0\nRegion\nModerate Risk        780            30            9                 9           21              19                28                0                   2\n- DC\nModerate Risk        524            30            8                 8           22              20                28                0                   2\n- Region\nLow Risk -          1,314           30            8                 8           22              19      
          27                0                   3\nDC\nLow Risk -          3,427           30            5                 5           25              24                29                0                   1\nRegion\nNew Hires            467            30           27                25            0              0                 25                2                    3\n                                                                                                                                               (No longer employed\n                                                                                                                                                  by the FDIC)\nPromotions          1,832           30           13                13           16              16                29                0                    1\n                                                                                                                                               (No longer employed\n                                                                                                                                                  by the FDIC)\nTotal               8,794          240          128               126          108              99               225                2                   13\n  Source: OIG Analysis of Security Folders and Official Personnel Folders\n\n\n\n\n                                                                                     33\n\x0c                       APPENDIX IV\n\nCorporation Comments\n\n\n\n\n         34\n\x0c'